rpms/selinux-policy/devel .cvsignore, 1.26, 1.27 modules-targeted.conf, 1.11, 1.12 policy-20060104.patch, 1.16, 1.17 selinux-policy.spec, 1.87, 1.88 sources, 1.28, 1.29

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Thu Jan 19 19:08:49 UTC 2006


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv27348

Modified Files:
	.cvsignore modules-targeted.conf policy-20060104.patch 
	selinux-policy.spec sources 
Log Message:
* Wed Jan 18 2006 Dan Walsh <dwalsh at redhat.com> 2.2.2-1
- Update to upstream
- Turn off execheap execstack for unconfined users
- Add mono/wine policy to allow execheap and execstack for them
- Add execheap for Xdm policy



Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/.cvsignore,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -r1.26 -r1.27
--- .cvsignore	17 Jan 2006 22:47:11 -0000	1.26
+++ .cvsignore	19 Jan 2006 19:08:32 -0000	1.27
@@ -27,3 +27,4 @@
 serefpolicy-2.1.11.tgz
 serefpolicy-2.1.12.tgz
 serefpolicy-2.1.13.tgz
+serefpolicy-2.2.2.tgz


Index: modules-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- modules-targeted.conf	9 Jan 2006 20:14:17 -0000	1.11
+++ modules-targeted.conf	19 Jan 2006 19:08:32 -0000	1.12
@@ -1001,3 +1001,10 @@
 # 
 wine = base
 
+# Layer: apps
+# Module: mono
+#
+# mono executable
+# 
+mono = base
+

policy-20060104.patch:
 Makefile                            |    2 +-
 policy/global_tunables              |    4 ++++
 policy/modules/admin/logwatch.te    |    7 +++++++
 policy/modules/apps/java.te         |    1 +
 policy/modules/apps/mono.fc         |    2 ++
 policy/modules/apps/mono.if         |   23 +++++++++++++++++++++++
 policy/modules/apps/mono.te         |   25 +++++++++++++++++++++++++
 policy/modules/apps/wine.fc         |    2 ++
 policy/modules/apps/wine.if         |   23 +++++++++++++++++++++++
 policy/modules/apps/wine.te         |   25 +++++++++++++++++++++++++
 policy/modules/kernel/domain.if     |    2 +-
 policy/modules/kernel/filesystem.if |   16 ++++++++++++++++
 policy/modules/services/bind.if     |    1 +
 policy/modules/services/xdm.te      |    2 +-
 policy/modules/system/libraries.fc  |    2 +-
 policy/modules/system/unconfined.if |    6 ++++++
 policy/modules/system/unconfined.te |   15 ++++++++-------
 policy/users                        |    8 +++++---
 18 files changed, 152 insertions(+), 14 deletions(-)

Index: policy-20060104.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060104.patch,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- policy-20060104.patch	17 Jan 2006 22:47:11 -0000	1.16
+++ policy-20060104.patch	19 Jan 2006 19:08:32 -0000	1.17
@@ -1,14 +1,6 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Changelog serefpolicy-2.1.13/Changelog
---- nsaserefpolicy/Changelog	2006-01-17 17:08:50.000000000 -0500
-+++ serefpolicy-2.1.13/Changelog	2006-01-17 17:43:28.000000000 -0500
-@@ -1,4 +1,3 @@
--* Tue Jan 17 2006 Chris PeBenito <selinux at tresys.com> - 20060117
- - Adds support for generating corenetwork interfaces based on attributes 
-   in addition to types.
- - Permits the listing of multiple nodes in a network_node() that will be
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.1.13/Makefile
---- nsaserefpolicy/Makefile	2006-01-13 09:48:25.000000000 -0500
-+++ serefpolicy-2.1.13/Makefile	2006-01-17 17:43:28.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.2.2/Makefile
+--- nsaserefpolicy/Makefile	2006-01-19 10:00:35.000000000 -0500
++++ serefpolicy-2.2.2/Makefile	2006-01-19 10:42:14.000000000 -0500
 @@ -92,7 +92,7 @@
  
  # enable MLS if requested.
@@ -18,15 +10,130 @@
  	override CHECKPOLICY += -M
  	override CHECKMODULE += -M
  endif
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-2.1.13/policy/modules/apps/wine.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.2.2/policy/global_tunables
+--- nsaserefpolicy/policy/global_tunables	2006-01-13 09:48:26.000000000 -0500
++++ serefpolicy-2.2.2/policy/global_tunables	2006-01-19 10:55:45.000000000 -0500
+@@ -22,6 +22,10 @@
+ 
+ ## Allow making the stack executable via mprotect.
+ ## Also requires allow_execmem.
++gen_tunable(allow_execheap,false)
++
++## Allow making the stack executable via mprotect.
++## Also requires allow_execmem.
+ gen_tunable(allow_execstack,false)
+ 
+ ## Allow ftp servers to modify public files
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-2.2.2/policy/modules/admin/logwatch.te
+--- nsaserefpolicy/policy/modules/admin/logwatch.te	2006-01-13 17:06:02.000000000 -0500
++++ serefpolicy-2.2.2/policy/modules/admin/logwatch.te	2006-01-19 11:23:59.000000000 -0500
+@@ -38,6 +38,7 @@
+ kernel_read_kernel_sysctl(logwatch_t)
+ kernel_read_system_state(logwatch_t)
+ 
++corecmd_read_sbin_symlink(logwatch_t)
+ corecmd_read_sbin_file(logwatch_t)
+ corecmd_exec_bin(logwatch_t)
+ corecmd_exec_shell(logwatch_t)
+@@ -68,6 +69,8 @@
+ 
+ miscfiles_read_localization(logwatch_t)
+ 
++selinux_dontaudit_getattr_dir(logwatch_t)
++
+ userdom_dontaudit_search_sysadm_home_dir(logwatch_t)
+ userdom_dontaudit_getattr_sysadm_home_dir(logwatch_t)
+ 
+@@ -94,6 +97,10 @@
+ 	nscd_use_socket(logwatch_t)
+ ')
+ 
++optional_policy(`ntp',`
++	ntp_domtrans(logwatch_t)
++')
++
+ optional_policy(`rpc',`
+ 	rpc_search_nfs_state_data(logwatch_t)
+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-2.2.2/policy/modules/apps/java.te
+--- nsaserefpolicy/policy/modules/apps/java.te	2006-01-12 18:28:45.000000000 -0500
++++ serefpolicy-2.2.2/policy/modules/apps/java.te	2006-01-19 13:05:16.000000000 -0500
+@@ -8,3 +8,4 @@
+ 
+ type java_exec_t;
+ files_type(java_exec_t)
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.fc serefpolicy-2.2.2/policy/modules/apps/mono.fc
+--- nsaserefpolicy/policy/modules/apps/mono.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.2.2/policy/modules/apps/mono.fc	2006-01-19 12:46:09.000000000 -0500
+@@ -0,0 +1,2 @@
++/usr/bin/mono	--	gen_context(system_u:object_r:mono_exec_t,s0)
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-2.2.2/policy/modules/apps/mono.if
+--- nsaserefpolicy/policy/modules/apps/mono.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.2.2/policy/modules/apps/mono.if	2006-01-19 12:46:09.000000000 -0500
+@@ -0,0 +1,23 @@
++## <summary>Load keyboard mappings.</summary>
++
++########################################
++## <summary>
++##	Execute the mono program in the mono domain.
++## </summary>
++## <param name="domain">
++##	The type of the process performing this action.
++## </param>
++#
++interface(`mono_domtrans',`
++	gen_require(`
++		type mono_t, mono_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domain_auto_trans($1, mono_exec_t, mono_t)
++
++	allow $1 mono_t:fd use;
++	allow mono_t $1:fd use;
++	allow mono_t $1:fifo_file rw_file_perms;
++	allow mono_t $1:process sigchld;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.2.2/policy/modules/apps/mono.te
+--- nsaserefpolicy/policy/modules/apps/mono.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.2.2/policy/modules/apps/mono.te	2006-01-19 13:29:46.000000000 -0500
+@@ -0,0 +1,25 @@
++policy_module(mono,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type mono_t;
++domain_type(mono_t)
++
++type mono_exec_t;
++domain_entry_file(mono_t,mono_exec_t)
++
++
++########################################
++#
++# Local policy
++#
++
++ifdef(`targeted_policy',`
++	allow mono_t self:process execheap;
++	unconfined_domain_template(mono_t)
++	role system_r types mono_t;
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-2.2.2/policy/modules/apps/wine.fc
 --- nsaserefpolicy/policy/modules/apps/wine.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.13/policy/modules/apps/wine.fc	2006-01-17 17:43:28.000000000 -0500
++++ serefpolicy-2.2.2/policy/modules/apps/wine.fc	2006-01-19 10:58:16.000000000 -0500
 @@ -0,0 +1,2 @@
 +/usr/bin/wine	--	gen_context(system_u:object_r:wine_exec_t,s0)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-2.1.13/policy/modules/apps/wine.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-2.2.2/policy/modules/apps/wine.if
 --- nsaserefpolicy/policy/modules/apps/wine.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.13/policy/modules/apps/wine.if	2006-01-17 17:43:28.000000000 -0500
++++ serefpolicy-2.2.2/policy/modules/apps/wine.if	2006-01-19 10:58:17.000000000 -0500
 @@ -0,0 +1,23 @@
 +## <summary>Load keyboard mappings.</summary>
 +
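Review bot: The new `allow_execheap` description added to policy/global_tunables is a verbatim copy of the `allow_execstack` text and still says "stack" where it should say "heap"; the same copied comment reappears inside the new `allow_execheap` tunable_policy block in unconfined.if in the last hunk of this file, so both should read `## Allow making the heap executable via mprotect.` (with `#` indentation in the .if). The accompanying "Also requires allow_execmem." sentence does not match the unconfined.if implementation either, which gates on `allow_execheap` alone while the execstack block next to it uses `allow_execmem && allow_execstack`; either drop that sentence or change the condition to `tunable_policy(`allow_execmem && allow_execheap',`. The new mono.if also carries the placeholder module summary `## <summary>Load keyboard mappings.</summary>` copied from wine.if; `## <summary>Mono executable.</summary>` would match the module description used in modules-targeted.conf.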
@@ -51,10 +158,10 @@
 +	allow wine_t $1:fifo_file rw_file_perms;
 +	allow wine_t $1:process sigchld;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-2.1.13/policy/modules/apps/wine.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-2.2.2/policy/modules/apps/wine.te
 --- nsaserefpolicy/policy/modules/apps/wine.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.13/policy/modules/apps/wine.te	2006-01-17 17:43:28.000000000 -0500
-@@ -0,0 +1,27 @@
++++ serefpolicy-2.2.2/policy/modules/apps/wine.te	2006-01-19 13:30:34.000000000 -0500
+@@ -0,0 +1,25 @@
 +policy_module(wine,1.0.0)
 +
 +########################################
@@ -75,150 +182,133 @@
 +#
 +
 +ifdef(`targeted_policy',`
-+	allow wine_t self:process execmem;
++	allow wine_t self:process { execstack execmem };
 +	unconfined_domain_template(wine_t)
-+	unconfined_domtrans(wine_t)
 +	role system_r types wine_t;
 +	allow wine_t file_type:file execmod;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-2.2.2/policy/modules/kernel/domain.if
+--- nsaserefpolicy/policy/modules/kernel/domain.if	2006-01-19 10:00:40.000000000 -0500
++++ serefpolicy-2.2.2/policy/modules/kernel/domain.if	2006-01-19 10:42:31.000000000 -0500
+@@ -1122,7 +1122,7 @@
+ 	allow $1 domain:fifo_file rw_file_perms;
+ 
+ 	# Act upon any other process.
+-	allow $1 domain:process ~{ transition dyntransition execmem };
++	allow $1 domain:process ~{ transition dyntransition execmem execheap execstack };
+ 
+ 	# Create/access any System V IPC objects.
+ 	allow $1 domain:{ sem msgq shm } *;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.2.2/policy/modules/kernel/filesystem.if
+--- nsaserefpolicy/policy/modules/kernel/filesystem.if	2006-01-19 10:00:41.000000000 -0500
++++ serefpolicy-2.2.2/policy/modules/kernel/filesystem.if	2006-01-19 10:42:14.000000000 -0500
+@@ -1826,6 +1826,22 @@
+ 
+ ########################################
+ ## <summary>
++##	Dontaudit Search directories on a ramfs
++## </summary>
++## <param name="domain">
++##	Domain allowed access.
++## </param>
++#
++interface(`fs_dontaudit_search_ramfs',`
++	gen_require(`
++		type ramfs_t;
++	')
 +
++	dontaudit $1 ramfs_t:dir search;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.1.13/policy/modules/kernel/files.if
---- nsaserefpolicy/policy/modules/kernel/files.if	2006-01-13 17:06:04.000000000 -0500
-+++ serefpolicy-2.1.13/policy/modules/kernel/files.if	2006-01-17 17:46:02.000000000 -0500
-@@ -2135,10 +2135,10 @@
- interface(`files_search_tmp',`
- 	gen_require(`
- 		type tmp_t;
--		class dir search;
-+		class dir search_dir_perms;
++
++########################################
++## <summary>
+ ##	Write to named pipe on a ramfs filesystem.
+ ## </summary>
+ ## <param name="domain">
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-2.2.2/policy/modules/services/bind.if
+--- nsaserefpolicy/policy/modules/services/bind.if	2006-01-13 09:48:26.000000000 -0500
++++ serefpolicy-2.2.2/policy/modules/services/bind.if	2006-01-19 13:58:34.000000000 -0500
+@@ -165,6 +165,7 @@
  	')
  
--	allow $1 tmp_t:dir search;
-+	allow $1 tmp_t:dir search_dir_perms;
+ 	files_search_var($1)
++	allow $1 named_conf_t:dir search_dir_perms;
+ 	allow $1 named_zone_t:dir search_dir_perms;
+ 	allow $1 named_cache_t:dir search_dir_perms;
  ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xdm.te serefpolicy-2.2.2/policy/modules/services/xdm.te
+--- nsaserefpolicy/policy/modules/services/xdm.te	2006-01-19 10:00:41.000000000 -0500
++++ serefpolicy-2.2.2/policy/modules/services/xdm.te	2006-01-19 13:56:19.000000000 -0500
+@@ -74,7 +74,7 @@
+ files_read_etc_runtime_files(xdm_t)
  
- ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.1.13/policy/modules/kernel/kernel.if
---- nsaserefpolicy/policy/modules/kernel/kernel.if	2006-01-13 17:06:04.000000000 -0500
-+++ serefpolicy-2.1.13/policy/modules/kernel/kernel.if	2006-01-17 17:45:26.000000000 -0500
-@@ -1666,6 +1666,7 @@
- 	typeattribute $1 kern_unconfined;
- 
- 	kernel_rw_all_sysctl($1)
-+	kernel_sendrecv_unlabeled_association($1)
- ')
- 
- ################################################################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.1.13/policy/modules/services/dovecot.te
---- nsaserefpolicy/policy/modules/services/dovecot.te	2006-01-17 17:08:53.000000000 -0500
-+++ serefpolicy-2.1.13/policy/modules/services/dovecot.te	2006-01-17 17:43:28.000000000 -0500
-@@ -95,6 +95,7 @@
- files_read_etc_files(dovecot_t)
- files_search_spool(dovecot_t)
- files_search_tmp(dovecot_t)
-+files_search_tmp(dovecot_auth_t)
- files_dontaudit_list_default(dovecot_t)
- 
- init_use_fd(dovecot_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-2.1.13/policy/modules/services/fetchmail.te
---- nsaserefpolicy/policy/modules/services/fetchmail.te	2006-01-13 17:06:05.000000000 -0500
-+++ serefpolicy-2.1.13/policy/modules/services/fetchmail.te	2006-01-17 17:44:58.000000000 -0500
-@@ -29,6 +29,7 @@
- allow fetchmail_t self:unix_stream_socket create_stream_socket_perms;
- allow fetchmail_t self:tcp_socket create_socket_perms;
- allow fetchmail_t self:udp_socket create_socket_perms;
-+allow fetchmail_t self:netlink_route_socket r_netlink_socket_perms;
- 
- allow fetchmail_t fetchmail_etc_t:file r_file_perms;
- 
-@@ -41,6 +42,7 @@
- 
- kernel_read_kernel_sysctl(fetchmail_t)
- kernel_list_proc(fetchmail_t)
-+kernel_getattr_proc_files(fetchmail_t)
- kernel_read_proc_symlinks(fetchmail_t)
- 
- corenet_non_ipsec_sendrecv(fetchmail_t)
-@@ -59,8 +61,11 @@
- corenet_tcp_connect_all_ports(fetchmail_t)
- 
- dev_read_sysfs(fetchmail_t)
-+dev_read_rand(fetchmail_t)
-+dev_read_urand(fetchmail_t)
- 
- files_read_etc_files(fetchmail_t)
-+files_read_etc_runtime_files(fetchmail_t)
- 
- fs_getattr_all_fs(fetchmail_t)
- fs_search_auto_mountpoints(fetchmail_t)
-@@ -78,6 +83,7 @@
- logging_send_syslog_msg(fetchmail_t)
- 
- miscfiles_read_localization(fetchmail_t)
-+miscfiles_read_certs(fetchmail_t)
- 
- sysnet_read_config(fetchmail_t)
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.1.13/policy/modules/services/hal.te
---- nsaserefpolicy/policy/modules/services/hal.te	2006-01-17 17:08:53.000000000 -0500
-+++ serefpolicy-2.1.13/policy/modules/services/hal.te	2006-01-17 17:45:44.000000000 -0500
-@@ -48,8 +48,11 @@
- kernel_read_network_state(hald_t)
- kernel_read_kernel_sysctl(hald_t)
- kernel_read_fs_sysctl(hald_t)
-+
- kernel_write_proc_file(hald_t)
- 
-+mls_file_read_up(hald_t)
-+
- bootloader_getattr_boot_dir(hald_t)
- 
- corecmd_exec_bin(hald_t)
-@@ -139,6 +142,7 @@
- 	term_dontaudit_use_unallocated_tty(hald_t)
- 	term_dontaudit_use_generic_pty(hald_t)
- 	files_dontaudit_read_root_file(hald_t)
-+	files_dontaudit_getattr_home_dir(hald_t)
- ')
- 
- optional_policy(`apm',`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.1.13/policy/modules/services/procmail.te
---- nsaserefpolicy/policy/modules/services/procmail.te	2005-12-09 23:35:06.000000000 -0500
-+++ serefpolicy-2.1.13/policy/modules/services/procmail.te	2006-01-17 17:43:28.000000000 -0500
-@@ -99,7 +99,7 @@
- 
- optional_policy(`spamassassin',`
- 	corenet_udp_bind_generic_port(procmail_t)
--
-+	corenet_tcp_connect_spamd_port(procmail_t)
- 	files_getattr_tmp_dir(procmail_t)
- 
- 	spamassassin_exec(procmail_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.1.13/policy/modules/services/rpc.te
---- nsaserefpolicy/policy/modules/services/rpc.te	2006-01-13 17:06:07.000000000 -0500
-+++ serefpolicy-2.1.13/policy/modules/services/rpc.te	2006-01-17 17:43:28.000000000 -0500
-@@ -48,6 +48,7 @@
- kernel_search_network_state(rpcd_t) 
- # for rpc.rquotad
- kernel_read_sysctl(rpcd_t)  
-+kernel_sendrecv_unlabeled_association(rpcd_t)  
- 
- corenet_udp_bind_generic_port(rpcd_t)
- corenet_udp_bind_reserved_port(rpcd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.1.13/policy/modules/system/selinuxutil.te
---- nsaserefpolicy/policy/modules/system/selinuxutil.te	2006-01-17 17:08:57.000000000 -0500
-+++ serefpolicy-2.1.13/policy/modules/system/selinuxutil.te	2006-01-17 17:43:28.000000000 -0500
-@@ -415,6 +415,7 @@
- 	allow run_init_t self:capability setuid;
- 	allow run_init_t self:fifo_file rw_file_perms;
- 	allow run_init_t self:netlink_audit_socket { create bind write nlmsg_read read };
-+	domain_auto_trans(run_init_t,initrc_exec_t,initrc_t)
- 
- 	# often the administrator runs such programs from a directory that is owned
- 	# by a different user or has restrictive SE permissions, do not want to audit
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.1.13/policy/users
+ ifdef(`targeted_policy',`
+-	allow xdm_t self:process execmem;
++	allow xdm_t self:process { execheap execmem };
+ 	unconfined_domain_template(xdm_t)
+ 	unconfined_domtrans(xdm_t)
+ ',`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.2/policy/modules/system/libraries.fc
+--- nsaserefpolicy/policy/modules/system/libraries.fc	2006-01-17 13:22:14.000000000 -0500
++++ serefpolicy-2.2.2/policy/modules/system/libraries.fc	2006-01-19 13:00:21.000000000 -0500
+@@ -166,7 +166,7 @@
+ /usr/lib(64)?/libdivxencore.so.0		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+ # Java, Sun Microsystems (JPackage SRPM)
+-/usr/.*/jre/lib/i386/libdeploy.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/.*/jre.*/lib/i386/libdeploy.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+ /usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:shlib_t,s0)
+ /usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.2/policy/modules/system/unconfined.if
+--- nsaserefpolicy/policy/modules/system/unconfined.if	2006-01-17 13:22:14.000000000 -0500
++++ serefpolicy-2.2.2/policy/modules/system/unconfined.if	2006-01-19 10:56:11.000000000 -0500
+@@ -45,6 +45,12 @@
+ 		auditallow $1 self:process execmem;
+ 	')
+ 
++	tunable_policy(`allow_execheap',`
++		# Allow making the stack executable via mprotect.
++		allow $1 self:process execheap;
++		auditallow $1 self:process execheap;
++	')
++
+ 	tunable_policy(`allow_execmem && allow_execstack',`
+ 		# Allow making the stack executable via mprotect.
+ 		allow $1 self:process execstack;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.2/policy/modules/system/unconfined.te
+--- nsaserefpolicy/policy/modules/system/unconfined.te	2006-01-17 17:08:57.000000000 -0500
++++ serefpolicy-2.2.2/policy/modules/system/unconfined.te	2006-01-19 13:44:58.000000000 -0500
+@@ -97,6 +97,10 @@
+ 		modutils_domtrans_update_mods(unconfined_t)
+ 	')
+ 
++	optional_policy(`mono',`
++		mono_domtrans(unconfined_t)
++	')
++
+ 	optional_policy(`netutils',`
+ 		netutils_domtrans_ping(unconfined_t)
+ 	')
+@@ -141,11 +145,8 @@
+ 		webalizer_domtrans(unconfined_t)
+ 	')
+ 
+-	ifdef(`TODO',`
+-	ifdef(`use_mcs',`
+-	rw_dir_create_file(sysadm_su_t, home_dir_type)
+-	')
+-	allow unconfined_t initrc_t : dbus { send_msg acquire_svc };
+-	allow initrc_t unconfined_t : dbus { send_msg acquire_svc };
+-	') dnl end TODO
++	optional_policy(`wine',`
++		wine_domtrans(unconfined_t)
++	')
++
+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.2/policy/users
 --- nsaserefpolicy/policy/users	2005-12-05 22:35:02.000000000 -0500
-+++ serefpolicy-2.1.13/policy/users	2006-01-17 17:43:28.000000000 -0500
++++ serefpolicy-2.2.2/policy/users	2006-01-19 10:42:14.000000000 -0500
 @@ -26,7 +26,9 @@
  ifdef(`targeted_policy',`
  gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
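Review bot: The unconditional `allow xdm_t self:process { execheap execmem };` in xdm.te (and the `allow mono_t self:process execheap;` in mono.te earlier in this file) has no `auditallow` counterpart, unlike the tunable-gated grant added to unconfined.if in this same hunk, which pairs `allow` with `auditallow $1 self:process execheap;`. As written, heap-execution by xdm_t or mono_t will never appear in the audit log, so if the intent of auditallowing the unconfined tunable was visibility into execheap use, the per-domain grants should get the same treatment, e.g. `auditallow xdm_t self:process execheap;`. A one-line comment above each grant stating why that domain needs execheap would also help the next reader, since the changelog only records that it was added.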


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.87
retrieving revision 1.88
diff -u -r1.87 -r1.88
--- selinux-policy.spec	17 Jan 2006 22:47:12 -0000	1.87
+++ selinux-policy.spec	19 Jan 2006 19:08:33 -0000	1.88
@@ -6,7 +6,7 @@
 %define CHECKPOLICYVER 1.28-3
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 2.1.13
+Version: 2.2.2
 Release: 1
 License: GPL
 Group: System Environment/Base
@@ -262,6 +262,16 @@
 %endif
 
 %changelog
+* Wed Jan 18 2006 Dan Walsh <dwalsh at redhat.com> 2.2.2-1
+- Update to upstream
+- Turn off execheap execstack for unconfined users
+- Add mono/wine policy to allow execheap and execstack for them
+- Add execheap for Xdm policy
+
+* Wed Jan 18 2006 Dan Walsh <dwalsh at redhat.com> 2.2.1-1
+- Update to upstream
+- Fixes to fetchmail,
+
 * Tue Jan 17 2006 Dan Walsh <dwalsh at redhat.com> 2.1.13-1
 - Update to upstream
 


Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/sources,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -r1.28 -r1.29
--- sources	17 Jan 2006 22:47:12 -0000	1.28
+++ sources	19 Jan 2006 19:08:33 -0000	1.29
@@ -1 +1 @@
-a745ed3d3ffc029e59bf246eb1e60d1f  serefpolicy-2.1.13.tgz
+63242331a275d209ef381bb16b7e3cc0  serefpolicy-2.2.2.tgz



